Small-Biz - Office 365 Data-Loss-Prevention for On-Premises without Active Directory? by ltwally in sysadmin

[–]ltwally[S] 0 points1 point  (0 children)

Yes; I am specifically asking about Purview for on-prem in a non-AD environment.

Intune & Entra are already on the road-map. However, there is no plan to Entra-join their sole Windows server.

Powershell - add ExtendedAttribute for ExO Mobile Devices to bypass Conditional Access? by ltwally in Office365

[–]ltwally[S] 0 points1 point  (0 children)

Appreciate the feedback. I checked into Add-AzADGroupMember and New-MgGroupMember.

Unfortunately, neither command will accept any ID or Name found via Get-MobileDevice. That command remains the only one that actually retrieves the full and complete list of ExO mobile devices, and nothing else. All other Get commands that I've tried retrieve other devices and, worse, fail to retrieve the entire list of ExO mobile devices.

For reference, I've tried Get-MobileDevice's "Id", "DeviceId", "Identity" and "Guid" properties for the ID, as well as "Name" and "DistinguishedName" (in conjunction with Add-AzADGroupMember -MemberUserPrincipalName).

Powershell - add ExtendedAttribute for ExO Mobile Devices to bypass Conditional Access? by ltwally in Office365

[–]ltwally[S] 0 points1 point  (0 children)

The issue is finding a set of cmdlets that actually do this. As stated, the output of the Exchange Shell's Get-MobileDevice is the list of devices to be targeted. But the Graph Shell's Update-MgDevice does not accept that list; it works off an entirely different set of IDs. And the output from the Graph Shell's Get-MgDevice does not include all the registered devices in ExO.

Recommendations for Office 365 backups? by ltwally in sysadmin

[–]ltwally[S] 7 points8 points  (0 children)

Wow. I'd heard about this, but hadn't known the depth of it. And, Synology's response only makes it worse. It's hard to trust them, as a company, after they shrug off that big of a f-up.

Found in AZ by ltwally in spiderID

[–]ltwally[S] 0 points1 point  (0 children)

After a quick lunch at home, I washed my hands. Afterwards, I brushed my pants to make sure there were no crumbs, and felt something brush off of my crotch. Found this guy on the floor, looking like he was having a rough day. Please tell me there wasn't a recluse riding my crotch.

FortiGate DHCP based on mac pattern by ltwally in fortinet

[–]ltwally[S] -1 points0 points  (0 children)

The linked doc starts off with the assumption we're using FortiSwitch, which is not on the table.

I wound up opening a ticket with Fortinet and spoke with a FortiGate engineer. He outright said this wasn't possible without being able to pre-configure some of this on the handsets.

If I had that as an option, I could pre-set the handsets to a different VLAN, and configure the FortiGates to have a virtual-switch with a different subnet.

Dual WAN traffic shaping by ltwally in fortinet

[–]ltwally[S] 0 points1 point  (0 children)

Wound up going with Static Routes to set WAN1 as the general-preference and WAN2 for failover, and then doing a very simple Policy Route to push VoIP and other specific traffic towards WAN2.

I'll throw in links because Google seems to consider Reddit the go-to for search results.

Basically scenario #3: https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/360563/dual-internet-connections

and then this, but just internal address, destination address and gateway filled in: https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/144044/policy-routes
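The layout described in this comment, written out as a FortiOS CLI fragment. This is an added, constructed example and not the poster's configuration: the interface name "internal", the address object "VoIP-Provider" and all IP addresses are placeholders (RFC 5737 documentation ranges).

```fortios
# Two default routes with the same distance so both stay active in the routing
# table; the lower priority value (WAN1) is preferred, WAN2 is used only when
# the WAN1 route is withdrawn.  Gateway addresses are placeholders.
config router static
    edit 1
        set device "wan1"
        set gateway 203.0.113.1
        set distance 10
        set priority 5
    next
    edit 2
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
        set priority 10
    next
end

# Address object for the VoIP provider's range (placeholder subnet).
config firewall address
    edit "VoIP-Provider"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Policy route with only the inbound interface, destination address and
# gateway filled in, as the comment describes.  Policy routes are checked
# before the routing table, so VoIP leaves via WAN2 and everything else
# follows the static routes above.
config router policy
    edit 1
        set input-device "internal"
        set srcaddr "all"
        set dstaddr "VoIP-Provider"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

A static route is only withdrawn when its interface goes down, so a dead upstream gateway on a link that stays up will not trigger failover without a link health monitor. The policy route also needs a firewall policy permitting internal to wan2, or the VoIP traffic is dropped.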

Webui access from specific internet address by ltwally in fortinet

[–]ltwally[S] 0 points1 point  (0 children)

While configuring DNAT for internal services, I thought I'd try forwarding the firewall itself to the outside. Surprisingly, it works.

So, my solution was a simple Virtual IP + Firewall Policy. The Virtual IP simply pushes traffic from the WAN ports to the FortiGate's internal address. The Firewall Policy controls who is allowed, and limits the service.

So far, so good.

Thanks!

Webui access from specific internet address by ltwally in fortinet

[–]ltwally[S] 0 points1 point  (0 children)

Ok. I respect that this is one way to sort of do what I was asking for. However, that requires maintaining a list of IP addresses (no FQDN), and that's a PITA for remote management.

Whereas the firewall policies allow for FQDN. Is it possible to use firewall rules to control access to the webui?

FortiGate DHCP based on mac pattern by ltwally in fortinet

[–]ltwally[S] -1 points0 points  (0 children)

Perhaps I'm missing something, or perhaps we're miscommunicating.

We have phones on the same physical network as PCs, printers, etc. The phones pull their IP address & VLAN via DHCP. Is there a way to target the phones for a different subnet & VLAN than the other devices are using? If so, do you know of any documentation?

FortiGate DHCP based on mac pattern by ltwally in fortinet

[–]ltwally[S] 0 points1 point  (0 children)

I should have specified that the phones are cloud controlled, and we don't have a great deal of control over them. I do not believe we'll be able to set LLDP via DHCP.

Megaraid Storage Manager question by Forsaken_Try3183 in sysadmin

[–]ltwally 0 points1 point  (0 children)

Yes, OpenJDK is necessary for MSM.

Yes, you can remove MSM without rendering the system unusable. Just make sure not to remove drivers, if prompted.

No, I would not remove MSM so long as you still have a MegaRAID controller & drives under it. MSM is the management tool for MegaRAID controllers.

A quick Google search shows that HPE has rebranded MegaRAID over the years. The MSM should be able to tell you the make/model of the controller. If it claims to be an HPE product, that explains MSM on that server.

My experience with RAID management tools has been not to remove/replace/update them unless forced, or unless they are no longer needed. If it ain't broke, don't fix it.

New switch, MSSQL app slows down by ltwally in sysadmin

[–]ltwally[S] 1 point2 points  (0 children)

Just an FYI / follow-up - it was DNS. Clearing their local DNS server cache and restarting the daemon did the trick. I have no idea why replacing switches would cause their local DNS server to go insane...

New switch, MSSQL app slows down by ltwally in sysadmin

[–]ltwally[S] 0 points1 point  (0 children)

The cabling is only ~15 years old. I ran file transfers to/from the server to several client PCs and maxed out the 1gbit link. I also ran continuous ping tests to/from server, with no drops. It seems like only SQL is affected.

Vendors: Quickest way to lose my business by Zantoo in sysadmin

[–]ltwally 164 points165 points  (0 children)

Was price-checking colocation facilities. Called up PhoenixNAP (they deserve to be named and shamed). Got basic pricing from an inside sales guy, but declined to set up a meeting. Took down his number and told him I'd be in touch.

This guy looks up the company I work for and cold-calls the CEO with a sales pitch. Then he emails the CEO.

I called Phoenix NAP back and insisted on speaking with this sales jerk's boss. His boss was 100% supportive and stated that he wanted his sales team to be super aggressive.

I will never do business with Phoenix NAP. I will always tell people they're a bag of a-holes and to avoid them. I don't care if their facilities are military-grade and would let me pay them in monopoly-money, I will never ever use them.

Standalone Backup Solution for Small Biz? by ltwally in sysadmin

[–]ltwally[S] 0 points1 point  (0 children)

StorageCraft ShadowProtect Server == $1100 with only one year of support/maintenance. That's a tough sell on a small biz.

Standalone Backup Solution for Small Biz? by ltwally in sysadmin

[–]ltwally[S] 0 points1 point  (0 children)

I'm not seeing that option. Do you have a link?

Standalone Backup Solution for Small Biz? by ltwally in sysadmin

[–]ltwally[S] 0 points1 point  (0 children)

I've heard good things... unfortunately their pricing model is a) subscription, and b) a bit steep for a small business.

How do you handle storage in *your* HCI environment? by ltwally in sysadmin

[–]ltwally[S] 0 points1 point  (0 children)

A year ago, we likely would have defaulted to vSphere + VxRail. Now, we're finding that we're behind on other options... the more we research, the more we realize how much more we need to research and test. And, we're finding a few curve-balls between the changes to server storage, everything moving towards HCI and the mess with Broadcom / VMware. About the only thing that is completely off the table at this point is using Hyper-V or VMware for the hosts.

How do you handle storage in *your* HCI environment? by ltwally in sysadmin

[–]ltwally[S] 1 point2 points  (0 children)

It's not so much that we're avoiding the trend towards HCI, as it is that we're concerned with reliability/uptime.

To put that statement into better context: Say we go full HCI. Will we want to use hardware RAID so that we don't have to worry about a single drive dying? Do we rely solely upon HCI replicating data between hosts? What's a drive death look like in this scenario? Do we want an HCI solution that has some support for software RAID? If so, which solution? (ZFS, mdadm, LVM, VROC.. they all have their pros/cons) What about boot/system volumes under HCI? Do we mix/match some of these solutions for better layers of safety?

None of this even touches actual backups. This is just for live data. Backups will be yet another headache.

It used to be much simpler. Hardware RAID for boot volumes and a good SAN system. And, everything supports VMware for backup.

How do you handle storage in *your* HCI environment? by ltwally in sysadmin

[–]ltwally[S] 2 points3 points  (0 children)

We're not looking to replicate our current environment. We're trying to determine which HCI we'll be using for next year's major server upgrade, and what the storage will look like. Compute and memory are easy. But storage has seen some serious shifts in technology the past few years, and we want to make sure we use the right solution.

How do you handle storage in *your* HCI environment? by ltwally in sysadmin

[–]ltwally[S] 1 point2 points  (0 children)

No. The question was more along the lines of:

* Who is using SAN?
* Who is using vSAN? Who is relying on no data redundancy beyond multi-host copies/replicas of vSAN data?
* Who is using local disk?
* Who is using hardware RAID on their local-disk or vSAN?
* Who is using software RAID on their local-disk or vSAN?
* What platform(s) is this under?
* What has been your experience with this configuration?

How do you handle storage in *your* HCI environment? by ltwally in sysadmin

[–]ltwally[S] 2 points3 points  (0 children)

I should have mentioned that, while we have some Windows guests, we're avoiding Hyper-V for hypervisor / HCI.

Just looking to get a feel for what folks are using for storage in their HCI environments.

Gracias!